Microsoft Releases Patch for ASP.NET Flaw

Microsoft released an "important" patch to address an information disclosure security vulnerability associated with ASP.NET systems.

The out-of-band patch is currently available for supported Windows systems from the Microsoft Download Center page (look for entries dated Sept. 27). Details about the patch are described in security bulletin MS10-070, which was released today. Microsoft explained in that security bulletin that the patch was released through its Download Center to help customers apply the fix as soon as possible.

Dave Forstrom, director of trustworthy computing at Microsoft, stated in a blog post today that Microsoft will provide the patch through its usual automatic distribution channels in a couple of days after first testing those distribution methods.

The patch is mostly aimed at IT pros who maintain servers using ASP.NET, which depends on the Internet Information Services component on Windows Server operating systems. To a lesser degree, some hobbyist users might run ASP.NET on Windows desktop operating systems, and those sorts of installations also are subject to the vulnerability.

According to a blog post by Scott Guthrie, corporate vice president of Microsoft's .NET developer platform, "the patch does not require any IIS or ASP.NET code or configuration changes." He said that once the patch is applied, the workarounds that Microsoft earlier recommended in its various blog posts will "no longer be required."

Commenting on the patch release, Wolfgang Kandek, CTO at software security firm Qualys, said that IT pros should keep the Microsoft workarounds in place if they have applied them and then test the new patch. He did not recommend undoing the workarounds.

"Those workarounds that Microsoft had initially specified, those are still valid. [People] should leave those in if they can," Kandek said, in phone interview. "If [users] had to change the error page, maybe they want different error pages for functional reasons, but those were good things that Microsoft provided. They are best practices anyway, where you don't want to give too much information about the errors that happen within the system."

Microsoft's workarounds are aimed at curtailing the details communicated by the server to the client when the server encounters errors. This vulnerability is associated with an "oracle" in the server that has been spilling too many security details, allowing hackers an opportunity to establish access rights after repeatedly sending malformed requests to the server.

"The problem is that applications that have been developed under ASP.NET can be 'convinced' to disclose information," Kandek explained. "I think that's why Microsoft considers this only an 'important' patch. Depending on the application, that information can be very important, even critical."

Microsoft's patch appears to add a digital signature, Kandek said, which may not be a bulletproof solution "but it seems to be the accepted structured way of taking care of that vulnerability." The exploit was recently demonstrated by two security researchers, Thai Duong and Juliano Rizzo. However, Kandek said that the technology to carry out the exploit "was first mentioned in 2002 in a research paper."

One way that IT pros can tell if their servers have been attacked is by reviewing their server logs, Kandek explained. The aim of the attacks is to get enough information to impersonate the administrator of the server.

"Many thousands of requests are necessary [for the attack]," he said, "and all of them end in an error. The demo that I saw took like 38,000 requests, or something like that."

The vulnerability was first discovered associated with the Java Server Faces Framework, so similar client-server setups could be vulnerable. Antimalware could not have helped ward off these kinds of attacks, but some Web application firewalls could help by supplying additional encryption, Kandek said.